Award-winning news, views, and insight from the ESET security community

Mysterious ‘Moon’ worm spreads into many Linksys routers – and hunts new victims

Malware dubbed ‘Moon’ due to images found within the malware has spread rapidly through many models of Linksys routers - even ones protected by passwords - it's still not clear how many are infected - or if the malware has a purpose beyond simply spreading.

Malware dubbed ‘Moon’ due to images found within the malware has spread rapidly through many models of Linksys routers – even ones protected by passwords – it’s still not clear how many are infected – or if the malware has a purpose beyond simply spreading.

A mysterious worm – dubbed ‘Moon’ due to images found within the malware – has spread rapidly through many models of Linksys routers, after being detected by staff at a Wyoming ISP. It’s still not clear how many are infected – or if the malware has a purpose beyond simply spreading.

Moon can infect routers without requiring a password, by scanning for open ports then sending a command to a vulnerable script. Machines infected with the worm immediately use available bandwidth to scan for other vulnerable routers on ports 80 and 800, according to Computer World.

“The request does not require authentication,” Johannes Ullrich of the Internet Storm Centre said. “The worm sends random ‘admin’ credentials but they are not checked by the script.”

When the attack was reported by an ISP in Wyoming, it was thought only a few Linksys routers were vulnerable, but that list has since grown, the ISC admits.

“We are aware of a worm that is spreading among various models of Linksys routers,” Ulrich says, “We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000,E900.”

“An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened,” said Ullrich continues.

“This may be a ‘bot’ if there is a functional command and control channel present,” Ullrich warns.

Detecting whether devices are infected is not easy, warns Ars Technica – offering some basic tips on how to spot infected routers in its report the Moon malware.

Routers have come under scrutiny from security researchers in the past year, after a series of demonstrations showed ways to break into the devices.

Many popular models of wireless router from brands such as Linksys and Netgear were found to be vulnerable to a ‘backdoor’, which could allow attackers access to the router’s admin controls, according to a report by Ars Technica – offering full access to the network.

The backdoor, in various models of wireless DSL router, could allow an attacker to reset the router and, “commandeer a wireless access point and allow an attacker to get unfettered access to local network resources,” Ars reports. “The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users.”

The backdoor was discovered by French researcher Eloi Vanderbeken who claimed to have uncovered it ‘by accident’ while investigating his family’s home router, noticing that the device was ‘listening’ for commands via a TCP port. Vanderbeken was able to use this to gain administrator privileges and reset the password, as he explains on Github here.

A Reddit thread discussing the recent backdoor said that, like other recent ‘backdoors’ in routers, it may have been left there by someone at the company, for easy debugging, “Most companies turn that “testing” stuff off before you ship for reasonably obvious reasons. Looks like someone forgot to do that, or left it in so they could debug returned routers that looked “bricked” in an easy way that worked almost all the time. I doubt it was nefarious.”